3-D Secure is an XML-based protocol designed to be an additional security layer for online credit and debit card transactions. It was originally developed by Arcot Systems (now CA Technologies) and first deployed by Visa with the intention of improving the security of Internet payments and is offered to customers under the name Verified by Visa. Services based on the protocol have also been adopted by MasterCard as MasterCard SecureCode, and by JCB International as J/Secure. American Express added 3-D Secure on November 8, 2010, as American Express SafeKey, in select markets and continues to launch additional markets. Analysis of the protocol by academia has shown it to have many security issues that affect the consumer, including greater surface area for phishing and a shift of liability in the case of fraudulent payments.
3-D Secure adds an authentication step for online payments.
The basic concept of the protocol is to tie the financial authorization process to an online authentication step. This additional authentication is based on a three-domain model (hence the "3-D" in the name). The three domains are:
The protocol uses XML messages sent over SSL connections with client authentication (this ensures the authenticity of both peers, the server and the client, using digital certificates).
A transaction using Verified by Visa or SecureCode initiates a redirection to the website of the card-issuing bank to authorize the transaction. Each issuer can use any authentication method (the protocol does not cover this), but typically a password-based method is used, so effectively buying on the Internet means using a password tied to the card. The Verified by Visa protocol recommends that the bank's verification page be loaded in an inline frame. In this way, the bank's systems can be held responsible for most security breaches. Today, with the ease of sending white-listed text messages from registered bank senders, it is easy to deliver a one-time password by SMS to the user's mobile phone, or by email, for authentication, at least during enrollment and for forgotten passwords.
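As an added illustration (not code from the protocol specification or from any card scheme or vendor), the following Python models the three-domain exchange described above in simplified form: the merchant-side component sends an XML authentication request, the issuer's server checks the cardholder's password and returns a result bound to that specific transaction, and the merchant verifies the binding before proceeding to authorization. The XML element names, the shared HMAC key standing in for the certificate-based peer authentication of the real protocol, and the card and password data are all constructed for this example.

```python
import hashlib
import hmac
import secrets
import xml.etree.ElementTree as ET

# Hypothetical key shared between the merchant component and the issuer's
# authentication server; it stands in for the mutually authenticated SSL
# channel of the real protocol (constructed for this example).
ISSUER_KEY = b"constructed-issuer-key"

# Issuer-side enrolment record: salted PBKDF2 hash of the password the
# cardholder chose at enrolment (constructed sample data, not a real card).
_SALT = b"constructed-salt"
_CARDHOLDERS = {
    "4111111111111111": hashlib.pbkdf2_hmac("sha256", b"correct horse", _SALT, 50_000),
}

def build_auth_request(pan: str, amount: str, merchant: str, txid: str) -> bytes:
    """Merchant domain: XML authentication request (hypothetical element names)."""
    req = ET.Element("AuthRequest", txid=txid)
    ET.SubElement(req, "PAN").text = pan
    ET.SubElement(req, "Amount").text = amount
    ET.SubElement(req, "Merchant").text = merchant
    return ET.tostring(req)

def _mac(txid: str, amount: str, merchant: str, status: str) -> str:
    # Bind the authentication outcome to this exact transaction, so a "Y"
    # result cannot be replayed against a different amount or merchant.
    msg = "|".join([txid, amount, merchant, status]).encode()
    return hmac.new(ISSUER_KEY, msg, "sha256").hexdigest()

def acs_authenticate(request_xml: bytes, password: str) -> bytes:
    """Issuer domain: verify the cardholder password, return a MAC'd XML result."""
    req = ET.fromstring(request_xml)
    pan, amount, merchant = (req.findtext(k) for k in ("PAN", "Amount", "Merchant"))
    stored = _CARDHOLDERS.get(pan)
    given = hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 50_000)
    status = "Y" if stored is not None and hmac.compare_digest(stored, given) else "N"
    res = ET.Element("AuthResult", txid=req.get("txid"), status=status)
    ET.SubElement(res, "Amount").text = amount
    ET.SubElement(res, "Merchant").text = merchant
    ET.SubElement(res, "MAC").text = _mac(req.get("txid"), amount, merchant, status)
    return ET.tostring(res)

def merchant_accepts(result_xml: bytes, txid: str, amount: str, merchant: str) -> bool:
    """Merchant domain: proceed to authorization only if the result is bound to our request."""
    res = ET.fromstring(result_xml)
    if (res.get("txid"), res.findtext("Amount"), res.findtext("Merchant")) != (txid, amount, merchant):
        return False
    expected = _mac(txid, amount, merchant, res.get("status") or "")
    return hmac.compare_digest(expected, res.findtext("MAC") or "") and res.get("status") == "Y"

def run_flow(pan: str, amount: str, merchant: str, password: str) -> bool:
    """End-to-end: merchant request -> issuer authentication -> merchant verification."""
    txid = secrets.token_hex(8)
    result = acs_authenticate(build_auth_request(pan, amount, merchant, txid), password)
    return merchant_accepts(result, txid, amount, merchant)
```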